2.4 Cryptographic Risks
Cryptography should not be undertaken lightly. While it can significantly help secure information in a database, cryptography carries risk as well.
Perhaps the most obvious risk is the danger of lost keys. Should a key become lost, whether corrupted, deleted, or simply thrown away by accident, any data encrypted with that key is lost along with it. There is no "undelete" or "data recovery" program that can produce the plaintext without the key; that is, after all, the whole point of encryption. All it takes is the loss of just 128 bits (the recommended size of a key in this book), and megabytes of data become meaningless. This threat is one of the reasons that key management is such an important topic in cryptography.
As mentioned earlier, weaknesses in key management tools and procedures can put overall security at risk. If an attacker can access the key, directly or indirectly, or insert a key of their own choosing into the system, the cryptography is broken. If the key generation routine is not based on sufficiently random numbers, the attacker may be able to guess the key: a 128-bit key drawn from a generator seeded with something predictable, such as the current time, has only as much entropy as the seed, and the attacker need only try the plausible seeds.
Implementation bugs also introduce risks. If other data used in the encryption process, such as initialization vectors (covered later), does not have the properties the algorithm requires (for most modes, that the value is never repeated under the same key), attackers will likely be able to discern patterns in the encrypted data and possibly deduce the real data. If the plaintext or the key is written to logs, or is simply not wiped from memory after use, it is exposed to attackers. Even if the key management is perfect and the implementation bug-free, this kind of indirect access to the keys remains a significant issue.
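The two preceding risks, a key generated from a predictable seed and an initialization vector that is reused, can both be made concrete in a few lines. The following is an added example, not code from this book; it uses a toy stream cipher (HMAC-SHA256 run in counter mode) as a stand-in for AES in CTR mode so that it runs with nothing but the Python standard library, and every function and sample record in it is invented for the illustration. The attacker in the first part knows only that every record starts with a fixed header; the attacker in the second part knows the plaintext of one record.

```python
"""Added example, not from the book: two cryptographic risks in working code.

Assumption (mine): the cipher is HMAC-SHA256 in counter mode, standing in for
AES-CTR. Like any counter mode it is safe only if (key, nonce) is never reused.
"""
import hashlib
import hmac
import random
import struct
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


# --- Risk 1: a key generated from insufficient randomness -------------------

def weak_key(seed: int) -> bytes:
    """Deliberately bad key generation (the flaw under discussion): 128 bits from
    the Mersenne Twister seeded with a small integer such as int(time.time()).
    The key is 128 bits long but carries only as much entropy as the seed."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def recover_weak_key(ciphertext: bytes, nonce: bytes, known_prefix: bytes,
                     seed_window: range) -> Optional[int]:
    """Attacker's view: guess the seed, rebuild the key, and test it against a
    plaintext prefix known to be present (a fixed record header, say)."""
    for seed in seed_window:
        if decrypt(weak_key(seed), nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed
    return None


# --- Risk 2: an IV/nonce that lacks the property it needs (uniqueness) -------

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_nonce_reuse(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Two ciphertexts under the same key and nonce share one keystream, so
    ct1 XOR ct2 == pt1 XOR pt2; knowing pt1 hands the attacker pt2."""
    return xor_bytes(xor_bytes(ct1, ct2), known_pt1)


def demo() -> dict:
    # Constructed sample data for the illustration, not from the book.
    key_seed = 1_700_000_000            # e.g. a Unix timestamp used as the seed
    key = weak_key(key_seed)
    fixed_nonce = b"\x00" * 8           # the mistake: one nonce for every record
    header = b"REC:v1;"                 # known prefix every record starts with
    ssn_field = b"ssn=123-45-6789;"
    record_a = header + ssn_field + b"name=alice"
    record_b = header + ssn_field + b"name=bob  "      # same SSN, same length
    ct_a = encrypt(key, fixed_nonce, record_a)
    ct_b = encrypt(key, fixed_nonce, record_b)

    # Pattern leak: equal plaintext bytes at equal offsets give equal ciphertext
    # bytes, so an observer sees which records share an SSN without decrypting.
    same_ssn = ct_a[:len(header) + len(ssn_field)] == ct_b[:len(header) + len(ssn_field)]

    # Known plaintext of one record recovers the other outright.
    recovered_b = leak_from_nonce_reuse(ct_a, ct_b, record_a)

    # Weak key: search one hour of candidate seeds using only the header as a crib.
    found_seed = recover_weak_key(ct_a, fixed_nonce, header,
                                  range(key_seed - 3600, key_seed + 1))

    # With a fresh nonce the same record encrypts to something unrelated.
    fresh = encrypt(key, b"\x00" * 7 + b"\x01", record_a)

    return {"same_ssn": same_ssn, "recovered_b": recovered_b,
            "found_seed": found_seed, "fresh_nonce_differs": fresh != ct_a}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Both attacks work without any weakness in the HMAC itself. The first succeeds because the key space the attacker must search is the seed space (3,601 values here), not 2^128; the second because a counter mode with a repeated nonce degenerates into a one-time pad used twice. A real deployment would draw keys from the operating system's cryptographic generator and a fresh random or strictly incrementing nonce per encryption.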
Because poor encryption looks so much like good encryption, it generates misplaced confidence, which can amplify the risk the data already poses. A system believed to be encrypted may not have as many other controls placed around it, so any vulnerability in the cryptography is all the more exposed. In this way, a bad cryptographic system can actually decrease the data's security.
It is vitally important that the cryptographic infrastructure be designed and implemented correctly. Later chapters go into detail on the design of a cryptographic infrastructure.